NEWS AND INSIGHT

Personal Data Protection Board’s 20 Recent Decision Summaries


22 September 2021

The Personal Data Protection Board (“Board”) published summaries of 20 recent decisions on 2 and 9 August.

Decision No. 2019/170: In a decision on a personal data breach notification by a retail company, it was found that, while some customers were creating an account on the website, the personal data of other customers were inadvertently transferred via a URL to the data controller’s internal systems and to the third parties it works with, and that this was noticed during a routine inspection. Since the breach was detected approximately one year after it occurred, the Board, on the grounds that (i) the company did not have log recording/tracing alarm systems or, if it had them, did not use them effectively and in a timely manner, so that the necessary checks were not completed, and (ii) because personal data could be viewed by third parties via the URL, the tests run at the design phase were insufficient or were not carried out at all, fined the data controller 50,000 TL for failing to take the necessary technical and administrative measures.

Decision No. 2020/113: In a decision on a data breach notification by an electronic sales service provider, the Board fined the data controller 200,000 TL on the grounds that (i) before the breach, an employee of the data controller accessed the relevant system without restriction from shared public connections outside the data controller’s own network, (ii) penetration tests were conducted only after the breach, (iii) the pre-breach systems had vulnerabilities such as SQL injection and cross-site scripting that could give access to critical information, (iv) because the mobile application had no SSL certificate, its traffic could easily be eavesdropped, (v) the relevant policies and breach response plans were drawn up only after the breach, (vi) no corporate training and awareness activities were organised before the breach, and (vii) the breach was discovered only after the party that committed it contacted the data controller.

Decision No. 2020/201: In a decision on a data breach notification by a bank, the Board fined the data controller 75,000 TL on the grounds that (i) the breach occurred when notifications concerning 905 customers were sent to other customers, so that data subjects’ identity, customer transaction and financial data were affected, and (ii) the notifications were sent inadvertently through the data controller’s internal system application; although the functions and methods used were technically correct, there was insufficient control over their parameters, and the breach resulted from the absence of this technical measure, a defect that should have been detected and fixed before the application went live.

Decision No. 2020/357: In a decision on a data breach notification by an insurance company, the Board fined the data controller 90,000 TL on the grounds that (i) the breach occurred when a subcontractor’s employee sent a list of 91 customers’ name-surname, contact and licence plate information, kept in the data controller’s system, from the corporate e-mail address assigned to him to his personal e-mail, (ii) the data concerned are identifiable personal data, and the breach shows that correct and accurate personal data protection procedures were not duly integrated into the data controller’s work and operations, (iii) the data controller’s technical measures were insufficient under the “Personal Data Security Guide” published by the Authority, and (iv) not all of the employees involved in the breach had received personal data protection training, which shows that the company did not take adequate administrative measures to ensure personal data security.

Decision No. 2020/530: In a decision on a data breach notification by a bank, the Board fined the data controller 200,000 TL, taking into account the unfairness of the offence, the fault of the data controller and its economic situation, on the grounds that (i) although the breach notification stated that 23 people were concerned, the bank employee who caused the breach made 1,052 KKB (credit bureau) queries between 1 January 2019 and 5 December 2019 and had no reasonable explanation for them, (ii) despite the 23 people shown in the screenshot sent to the Authority, more people may have been affected and the employee may have taken the information outside the bank, (iii) there was no limit on the employee’s KKB queries before the breach, (iv) the number of queries made by the employee was far above the average for his region and this was never examined, and the breach was learned of only upon the breach notification, one year after it began, from which it is understood that adequate supervision and monitoring were not carried out, and (v) the personal data protection law training given by the data controller was not sufficient.

Decision No. 2020/567: In a decision on a data breach notification by a toy company, the Board fined the data controller 75,000 TL for failing to take the technical measures necessary to ensure data security, on the grounds that (i) verifying user identities is necessary to secure access to personal accounts, and the data controller planned to release its two-factor authentication method (SMS/Captcha) only after the breach, so the necessary technical measures were not in place, (ii) customers were not forced to create strong passwords when creating an account, and (iii) during the breach, until the web application firewall (WAF) determined whether the unauthorised access activity was an attack, some accounts could be accessed by the attackers without authorisation, so the data controller was unable to ensure the security of the application.

Decision No. 2020/715: In a decision on a data breach notification by an e-commerce company, the Board fined the data controller 165,000 TL, taking into account the unfairness of the offence, the fault of the data controller and its economic situation, on the grounds that (i) although it was stated that the e-mail addresses and passwords that caused the breach were not obtained through the data controller’s website and that no identity, contact or customer transaction data were affected, the confidentiality of personal data was compromised by the unauthorised access to the accounts, which constitutes a data breach, (ii) the data controller limited the number of failed login attempts from the same IP address only after the breach; had this measure been taken beforehand, the breach could have been prevented or its effects reduced, which indicates that adequate and necessary technical measures were not in place before the breach, (iii) the breach affected the e-mail addresses and passwords of 832 people, (iv) the data controller did not ensure that its users’ passwords were changed periodically, (v) the web application firewall (WAF) rule preventing successful logins from the same IP address was defined after the breach rather than before it, and (vi) although the breach caused no significant damage, given the level of use of the website and the personal data it holds, the data controller’s failure to take the necessary measures created a serious risk.

Decision No. 2020/816: In a decision on a data breach notification by a technology company, the Board decided that no action need be taken against the data controller, on the grounds that (i) the breach affected only one person’s personal data, (ii) the affected data subject was notified by telephone, (iii) the personal data concerned are unlikely to have a negative impact on the data subject, (iv) the e-mail that caused the breach was deleted, and (v) the data controller intervened in the breach within a short time.

Decision No. 2020/935: In a decision on a data breach notification by an insurance company, the Board, on the grounds that (i) one person was affected by the breach, (ii) the affected data are identity, contact and health data, (iii) the data controller complied with its obligation to notify the Authority of the breach as soon as possible (within 72 hours), and (iv) breach notification would be made to the data subjects on the specified dates, decided that the data controller shall notify the data subjects and submit to the Authority the confirmatory documents showing that the customer to whom the data were inadvertently sent has deleted them.

Decision No. 2020/957: In a decision on a data breach notification by a pharmaceutical company, the Board decided that no action need be taken against the data controller at this point, on the grounds that (i) the breach was detected 13 minutes after it occurred and dealt with two hours later, (ii) the breach occurred during migration to a new server intended to raise the security level, (iii) the breach consisted of payroll information of the data controller’s employees being inadvertently sent to other employees, which is unlikely to have a negative effect, (iv) the e-mails that caused the breach were deleted and the necessary warnings were given to the recipients, and (v) after the breach, the necessary administrative and technical measures were taken on the matters that caused it. However, since the breach was not notified to the Board within 72 hours, the data controller was reminded that, where processed data are obtained unlawfully, it is obliged to notify the Board and the data subjects, and was instructed to send the Authority the confirmatory documents showing that the data subjects were notified of the breach and warned to delete the e-mails.

Decision No. 511-512-513: In a decision on allegations that lawyers accessed personal data in enforcement files without a power of attorney, and that the Ministry of Justice unlawfully transferred personal data in debtors’ enforcement files to the attorneys of the creditors in those files, the Board decided that no action need be taken, on the grounds that (i) under Article 46 of the Attorneys’ Act, lawyers may examine their clients’ litigation and enforcement files without presenting a power of attorney in order to collect their clients’ receivables, and the creditors’ attorneys may therefore process the personal data in the debtors’ enforcement files on the basis of the “explicitly stipulated in law” ground under Law No. 6698, and (ii) under Article 2 of the Attorneys’ Act, the relevant authorities are obliged to make available for examination the information and documents that lawyers require to perform their duties, and Article 8 of Law No. 6698 provides that “provisions in other laws regarding the transfer of personal data are reserved”, so enforcement office personnel may transfer personal data to enable lawyers to fulfil their duties.

Decision No. 2020/50: In a decision on a personal data breach notification by a retail clothing company, the Board fined the data controller 50,000 TL for the late detection of the breach, on the grounds that (i) the company did not have log recording/tracing alarm systems or, if it had them, did not use them effectively and in a timely manner, so that the necessary checks were not completed, and (ii) because personal data could be viewed by third parties via the URL, the tests carried out while the website was still at the design phase were insufficient or were not carried out at all.

Decision No. 2020/345: In a decision on a data breach notification by a data controller operating in the field of computer games, the Board fined the data controller 130,000 TL on the grounds that (i) the breach occurred when, after the end of the employment relationship, a former employee uploaded source code and data files that were his/her work product to GitHub without authorisation; the upload created a security vulnerability and, since the source code could be analysed by third parties and thereby give rise to further vulnerabilities, the data controller evidently did not take adequate technical and administrative measures for personal data security, (ii) the breach was detected only about two years after it occurred, which shows that security checks were not carried out regularly and that the technical and administrative measures for personal data security monitoring were insufficient, (iii) although the data controller’s personnel had signed many policies, the fact that the employee copied the files, including personal data, to his/her personal portable storage device shows that these policies were not effectively implemented and that an adequate level of awareness had not been reached, and (iv) the breach was not notified to the Board in time.

Decision No. 2020/359: In a decision on a data breach notification by a bank, the Board fined the data controller 450,000 TL on the grounds that (i) the breach was detected approximately one year after it occurred, during annual checks, which indicates that personal data security monitoring was not carried out at appropriate intervals, (ii) controls and rules such as restricting user log records, disabling screens for roles that do not need them and adding a warning text on the protection of personal data were introduced only after the breach, which indicates that the relevant technical and administrative measures were not in place beforehand, (iii) not all of its employees had completed personal data security training, and (iv) the breach was not notified to the Board on time, reasonable efforts were not made to notify all affected persons, and the information and documents requested by the Board were not submitted.

Decision No. 2020/421: In a decision on a data breach notification by a data controller operating in the personal care sector, the Board fined the data controller 210,000 TL on the grounds that (i) the attack was carried out from more than 14,000 IP addresses, yet the data controller did not detect this traffic on top of its normal traffic and learned of the breach only when the unidentified perpetrators contacted it by e-mail, and (ii) besides the 2,092 accounts that were accessed without authorisation, many unsuccessful attempts went undetected, which indicates a deficiency in monitoring the information networks and in detecting events that should not happen.
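The two controls faulted in Decisions 2020/715 and 2020/421 can be shown over a few constructed authentication log lines: a per-IP failed-login limit that also denies a later successful login from a locked-out address, and a separate check for a distributed attack spread over many source addresses that each stay below the per-IP limit, which is the pattern per-IP counting alone misses. The following is an added example written for this page; it is not code from the Board or from any of the data controllers concerned, and the log format, thresholds, window sizes and sample traffic are assumptions made here for illustration.

```python
"""Login-abuse detection over authentication logs.

Added example, not code from the Board or any data controller in the decisions.
Log format ('<ts> <ip> <user> <OK|FAIL>'), thresholds and sample traffic are
assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # seconds since epoch (assumed log format)
    ip: str
    user: str
    ok: bool


def parse_auth_log(text: str) -> list:
    """Parse lines of the assumed form '<ts> <ip> <user> <OK|FAIL>'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than stop the monitor
        ts, ip, user, result = parts
        events.append(LoginEvent(int(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def per_ip_lockout(events, max_failures=5, window_s=300):
    """Deny every attempt, successful or not, from an IP that has reached
    max_failures failed logins within the last window_s seconds.

    Returns (denied_events, blocked_ips). This is the per-IP limit and the
    'no successful login from the same IP' rule of Decision 2020/715.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failures
    denied, blocked = [], set()
    for ev in events:
        q = recent_failures[ev.ip]
        while q and ev.ts - q[0] > window_s:
            q.popleft()               # drop failures outside the window
        if len(q) >= max_failures:
            denied.append(ev)         # attempt never reaches the login handler
            blocked.add(ev.ip)
            continue
        if not ev.ok:
            q.append(ev.ts)
    return denied, blocked


def detect_distributed_stuffing(events, window_s=600, min_ips=20, min_users=20):
    """Flag windows in which failures come from many distinct IPs against many
    distinct accounts, even when no single IP exceeds the per-IP limit.

    Returns a list of (window_start_ts, distinct_ips, distinct_users) alerts.
    This is the traffic shape of Decision 2020/421 (thousands of IPs) that
    per-IP counting does not reveal.
    """
    alerts, window = [], deque()
    for ev in (e for e in events if not e.ok):
        window.append(ev)
        while window and ev.ts - window[0].ts > window_s:
            window.popleft()
        ips = {e.ip for e in window}
        users = {e.user for e in window}
        if len(ips) >= min_ips and len(users) >= min_users:
            alerts.append((window[0].ts, len(ips), len(users)))
            window.clear()            # one alert per burst, then recount
    return alerts


def sample_log() -> str:
    """Constructed sample, not real traffic: one IP brute-forcing a single
    account, then 30 IPs each trying two different accounts once."""
    lines = [f"{1000 + i * 10} 203.0.113.9 alice FAIL" for i in range(6)]
    lines.append("1070 203.0.113.9 alice OK")   # would have succeeded
    for i in range(30):
        ip = f"198.51.100.{i + 1}"
        lines.append(f"{2000 + i * 5} {ip} user{2 * i} FAIL")
        lines.append(f"{2002 + i * 5} {ip} user{2 * i + 1} FAIL")
    lines.append("2200 198.51.100.7 user13 OK")  # a stuffed credential that worked
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_auth_log(sample_log())
    denied, blocked = per_ip_lockout(evs)
    print("per-IP lockout denied", len(denied), "attempts from", blocked)
    print("distributed alerts:", detect_distributed_stuffing(evs))
```

With the constructed sample, the per-IP rule denies the sixth failure and the following successful login from 203.0.113.9 but nothing from the 30 low-volume addresses, while the distributed check raises one alert for the burst starting at ts 2000. In production the per-IP counters would live in shared state (a WAF rule or a cache) and the distributed check would run over a streaming window; the thresholds here are placeholders.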

Decision No. 2020/463: In a decision on a data breach notification by a data controller operating in the pharmaceutical industry, the Board fined the data controller 125,000 TL on the grounds that (i) the Data Domain Server data, holding all servers and data critical to the data controller’s continued operations as well as backup files of other servers, were deleted, (ii) although the exact number cannot be determined, approximately 1,000 people were affected by the breach, which was detected only when company employees could not access the system, (iii) a multinational company processing sensitive personal data should perform the necessary penetration tests and risk analyses against such attacks, identify these threats, cover these security risks and take data security measures, and (iv) the deletion of the data on the server, including the servers’ backup files, violates the principle that backed-up personal data should be accessible only by the system administrator and must be kept off the network.

Decision No. 2020/465: In a decision on a data breach notification by a data controller providing corporate software services, the Board fined the data controller 125,000 TL on the grounds that (i) the data controller became aware of the breach five months after it occurred, which indicates that the necessary security checks and audits were not carried out on time, (ii) the breach was caused by the data controller’s end users lacking full awareness of password security, (iii) more than 6 TB of data was held on a shared drive and stolen from it, and the data controller did not take the administrative measures necessary to reduce the risk of losing such a large volume of data to attacks of this kind, and (iv) the data controller made its notification 55 days late.

Decision No. 2020/532: In a decision on a data breach notification by an insurance company, the Board fined the data controller 30,000 TL on the grounds that (i) the system error that caused the breach lay in application software in use since 2011, and ensuring data security required this systematic error to be continuously monitored, and (ii) the five-day gap between the occurrence of the breach and its detection shows that the data controller did not perform the necessary checks and audits on time; since an organisation carrying out insurance activities must be more careful about the security of its information systems, the system error that caused the breach should have been corrected before the transaction went live.

Decision No. 2020/763: In a decision on a data breach notification by a data controller providing online grocery shopping services, the Board decided that no action need be taken against the data controller at this point, on the grounds that (i) the breach occurred when the e-mail addresses of 43 of its customers were inadvertently placed in the subject line of an e-mail, and the personal data affected consist only of those customers’ e-mail addresses and the names and surnames contained in them, (ii) the data subjects were notified of the breach and the confirmatory documents were submitted to the Authority, (iii) the breach is unlikely to have an adverse effect on the people affected, (iv) the 400 customers who received the erroneous e-mails were asked to destroy them, and (v) the data controller fulfilled its obligation to notify the Authority of the breach “as soon as possible”.

Decision No. 2020/934: In a decision on a data breach notification by a data controller operating in the energy sector, the Board decided that there was no need to fine the data controller, on the grounds that (i) only two users from Turkey were affected by the breach, (ii) the file that was the subject of the breach could have been accessed by only eight users before it was removed from access, (iii) all eight users were contacted and confirmed that they understand and accept their confidentiality obligations and will not use or share any of the password information concerned, (iv) given the nature of the data, the probability of a negative effect is low, (v) after the breach, the passwords concerned on the platform were encrypted and masked, a masking measure in line with the Personal Data Security Guide, (vi) the data controller promptly removed the detected file after the breach, and (vii) the passwords of the affected platform users were reset and warning e-mails were sent telling them to change their passwords; although it is very unlikely that this information would have an adverse effect, these measures indicate that the data controller planned and implemented the necessary technical and administrative measures. Although the notification was not made within 72 hours, the Board held that exceeding the 72-hour period could be considered reasonable, given the data controller’s multinational structure and the time needed to determine the countries of the affected people and to learn the notification obligations in those countries.
It was also determined that the users likely to be affected were warned to change their passwords, and to change them on any other platform where they used the same passwords, but that, although much information about the breach was shared in these warnings, adequate information on the time of the breach and its possible consequences was not. The Board decided to instruct the data controller to be more careful and diligent in these respects.